The Internet and its graphical user interface, the World Wide Web, are indispensable tools for all manner of communications and commerce. However, not all types of communications are appropriate for viewing by all people. Further, when transacting commerce via the Internet individuals generally insist upon some security measures to protect their sensitive information against compromise.
To address concerns regarding accessing of potentially inappropriate communications (and here Web sites and the like are considered to be a form of such communications), filtering technologies have been developed. These filters are software tools that can block access to specific Web sites and Internet services. Hence, the filters allow administrators or parents to selectively control what sort of communications can be accessed when employees or minors are “surfing” the Web using a personal computer and a Web browser. In some cases the filters are applied at the local computer level, while in other cases the filters are employed at computer systems (e.g., proxies) that act as gatekeepers between a personal computer or workstation and the Internet.
Security concerns, on the other hand, have been addressed through the use of encrypted communications between users' local computer systems and remote computer systems (called servers). Through an exchange of credentials that allow the local computer to verify the identity of the server (and, in some cases, vice-versa), the two computer systems establish an encrypted communication session with one another. Data (such as credit card numbers and the like) exchanged between the computer systems during this session is not visible to other computer systems (such as proxies) that may reside in the communication path between the user's local computer and the server. This affords the user some degree of privacy and security when conducting commerce or other, private transactions over the Internet.
While the use of encrypted communications is of great benefit in helping to facilitate commerce over the Internet, it does pose a problem for the filters discussed above. Because the data (called the plain text) is encrypted by the time it reaches the filters (whether the filters are deployed at the user's local computer or a proxy), the filters cannot determine whether or not the content represented by that data is subject to filtering under the rules prescribed by the filter administrator. Hence, the filter is rendered ineffective.
Recognizing this problem, proxy vendors have developed solutions that allow the encrypted communications to be “cracked” so that, for example, the underlying plain text from a server can be examined against the prescribed filing rules. If the content represented by this data is found to be inappropriate under the filtering rules, it is blocked. Otherwise, the data is re-encrypted and delivered to the user's local computer.
While this scheme allows content filters to operate on encrypted traffic exchanged between user's local computers and servers, it does compromise the very security which the encrypted communication scheme sought to establish in the first place. For example, if one considers an on-line banking transaction, which ordinarily would employ encrypted communications between the user's computer and the bank's server, by cracking the encrypted communications at a proxy disposed between these two systems the user's personal financial information and perhaps his/her log-in credentials for the bank's Web site become exposed and may be subject to compromise.
Perhaps an even more important limitation of this “proxy-in-the-middle” method is that it requires the client to trust everything that the proxy trusts. All secure communications are intercepted and the proxy acts as a “man-in-the-middle” replacing the server's certificate with its own, knowing the client will always trust the proxy even though the client may not always trust the endpoint to which the proxy is connected. That is, the endpoint's (e.g., an origin server's) certificate is never examined by the end user as it otherwise would be when a direct connection is made to the endpoint. Thus, this form of filtering for what are supposed to be secure communications is simply not acceptable to many individuals or institutions.
Nevertheless, simply because communications are encrypted is not a sufficient reason to allow the data associated with such communications to pass unfiltered. Malicious programs, such as worms and viruses could be disguised in such communications and, if not subject to filtering, would be allowed to pass unwittingly to a user's computer system or a server. Likewise, content deemed inappropriate by a network administrator or a parent could bypass filtering by being shrouded in an envelope of encryption. Hence, a methodology for filtering secure communications which nevertheless preserves the privacy of the information being exchanged and which ensures the user receives the original endpoint certificate is needed.